The CPPA, the California regulatory body charged with enforcing CCPA, recently released draft regulations for use of automated decisionmaking technology. The draft comes under the law’s requirements for the agency to issue regulations on the topic. Under the law, automated decisionmaking technology is discussed in relation to profiling. Profiling is defined as “any form of automated processing of personal information” to analyze or predict people’s work performance, health, personal preferences, and the like. However, what constitutes “automated decisionmaking technology” is not defined.
CCPA calls for rules to give consumers the ability to opt out of use of these technologies, and to access information about how the tools are used to make decisions about them. The rules impose fairly onerous obligations on those who use these technologies. As such, the definition of them, and of the times when they are being used, is particularly important. Of concern for many is how broad the current definition is, namely, any system, software or process that helps in human decision making.
As proposed, the rules include the following obligations:
- Give consumers a “pre-use notice.” This notice would need to include, among other things, an explanation in plain language of how, specifically, the business will use these technologies. It also needs to outline how consumers can exercise their opt-out rights.
- Give consumers the ability to opt out of certain uses of the technologies. These include when they would be used to produce legal or similarly significant effects. They also include times when a consumer is profiled while acting in their capacity as an employee, contractor, or job applicant, as well as profiling a consumer in a public place or profiling those known to be under 16. Finally, they include uses to train automated decisionmaking technology.
- Give consumers information about how these technologies are being used to make decisions about them. For example, businesses must provide a direct notice to consumers if they make a decision using the technologies that results in the denial of goods or services. Businesses must also provide an explanation for the denial and information about the right to file a complaint with regulators.
- Implement processes for handling information of minors between the ages of 13 and 16 and children under 13. These include, for example, providing opt-in consent for using such children’s information for behavioral advertising purposes.
The draft is not final, and received criticism at the CPPA’s recent public board meeting. There, the agency indicated that the intent was to facilitate public participation and board discussion. This draft follows other new draft regulations from the agency, including on risk assessments and cybersecurity audits.
Putting it into Practice: The regulations are not yet final. However, businesses can start preparing for the regulations by inventorying the various tools and technologies, including HR tools, that they use to facilitate human decision making.